只允许一个SSO用户访问资源的策略
【以下的问题经过翻译处理】 我们正在将所有的IAM用户迁移到 AWS SSO中。 我们曾经为 SageMaker 使用这个策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sagemaker:ListTags",
"sagemaker:DeleteNotebookInstance",
"sagemaker:StopNotebookInstance",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:DescribeNotebookInstance",
"sagemaker:StartNotebookInstance",
"sagemaker:UpdateNotebookInstance"
],
"Resource": "arn:aws:sagemaker:::notebook-instance/${aws:username}*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListCodeRepositories"
],
"Resource": "*"
}
]
}
这使每个用户可以使用自己的 notebook。 现在在新的SSO权限集中,我给出了以下权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:CreateScript",
"secretsmanager:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sagemaker:ListTags",
"sagemaker:DeleteNotebookInstance",
"sagemaker:StopNotebookInstance",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:Describe*",
"sagemaker:StartNotebookInstance",
"sagemaker:UpdateNotebookInstance",
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:*"
],
"Resource": "arn:aws:sagemaker:::notebook-instance/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Owner": "${identitystore:UserId}"
}
}
},
{
"Effect": "Allow",
"Action": [
"sagemaker:ListTags",
"sagemaker:Describe*",
"sagemaker:StartNotebookInstance"
],
"Resource": "*"
}
]
}
我进行了尝试但它不能正常工作
- 最新
- 投票最多
- 评论最多
【以下的回答经过翻译处理】 我了解到您目前正在尝试使用SSO身份的UserID限制对Sagemaker笔记本的访问。
目前,我利用您提供的SSO权限集并进行了微调,如下所示,并最终通过以AWS SSO用户身份登录的方式,在AWS SageMaker控制台上进行了测试,成功查看/停止/描述了与SSO UserID对应的SageMaker笔记本(带有标签-Owner:UserId)。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:CreateScript",
"secretsmanager:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sagemaker:ListTags",
"sagemaker:DeleteNotebookInstance",
"sagemaker:StopNotebookInstance",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:Describe*",
"sagemaker:StartNotebookInstance",
"sagemaker:UpdateNotebookInstance",
"sagemaker:CreatePresignedDomainUrl"
],
"Resource": "arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/*",
"Condition": {
"StringEquals": {
"sagemaker:ResourceTag/Owner": "${identitystore:UserId}"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListCodeRepositories"
],
"Resource": "*"
}
]
}
然而,如果此SSO用户尝试停止任何其他没有与其UserId对应的标签的Sagemaker笔记本,则预期行为会出现以下错误:
User: arn:aws:sts::7XXXXXXXXX:assumed-role/AWSReservedSSO_SageMXXXXXXXXXbe/test1 is not authorized to perform: sagemaker:StopNotebookInstance on resource: arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/userachecking because no identity-based policy allows the sagemaker:StopNotebookInstance action
或
User: arn:aws:sts::7XXXXXXXXX:assumed-role/AWSReservedSSO_SageMXXXXXXXXXbe/test1 is not authorized to perform: sagemaker:DescribeNotebookInstance on resource: arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/Test1Check because no identity-based policy allows the sagemaker:DescribeNotebookInstance action
此外,请注意,与您提供的IAM策略不同,您的SSO权限集策略缺少操作-“sagemaker:ListNotebookInstances”,这也会在我的测试中因无法列出AWS SageMaker控制台上的笔记本实例而引发错误。因此,我也在您的权限集中添加了适当的Sagemaker列表操作。
附加信息 -
a. $ {identitystore:UserId} - AWS SSO身份存储中的每个用户都分配了唯一的UserID。您可以使用AWS SSO控制台并导航到每个用户或使用DescribeUser API操作来查看您的用户的UserId。[1]
b. ListNotebookInstances - 返回AWS区域中请求者帐户中的SageMaker笔记本实例列表。[2]
c. ResourceTag - 您可以使用ResourceTag / key-name条件键来确定是否基于标记允许对资源的访问。[3] [4]
d. sagemaker:ResourceTag / - 按附加到资源的标签键和值对的前缀字符串过滤访问[5]
e. sagemaker:ResourceTag / $ {TagKey} - 根据标记键值对过滤访问[5]
参考:
[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/using-predefined-attributes.html
[2] https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_ListNotebookInstances.html
[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
相关内容
AWS 官方已更新 8 个月前- AWS 官方已更新 6 个月前
- AWS 官方已更新 2 年前